+

US20090304008A1 - Network relay device and network relay method - Google Patents

Network relay device and network relay method Download PDF

Info

Publication number
US20090304008A1
US20090304008A1 US12/475,853 US47585309A US2009304008A1 US 20090304008 A1 US20090304008 A1 US 20090304008A1 US 47585309 A US47585309 A US 47585309A US 2009304008 A1 US2009304008 A1 US 2009304008A1
Authority
US
United States
Prior art keywords
regular
address
layer
port
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US12/475,853
Other versions
US8422493B2 (en
Inventor
Tomohiko Kono
Shinichi Akahane
Takao NARA
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alaxala Networks Corp
Original Assignee
Alaxala Networks Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alaxala Networks Corp filed Critical Alaxala Networks Corp
Assigned to ALAXALA NETWORKS CORPORATION reassignment ALAXALA NETWORKS CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AKAHANE, SHINICHI, KONO, TOMOHIKO, NARA, TAKAO
Publication of US20090304008A1 publication Critical patent/US20090304008A1/en
Application granted granted Critical
Publication of US8422493B2 publication Critical patent/US8422493B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/66Layer 2 routing, e.g. in Ethernet based MAN's
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/35Switches specially adapted for specific applications
    • H04L49/354Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/622Layer-2 addresses, e.g. medium access control [MAC] addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/618Details of network addresses
    • H04L2101/663Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/10Mapping addresses of different types
    • H04L61/103Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5007Internet protocol [IP] addresses
    • H04L61/5014Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • the present invention relates to a network relay device and a network relay method; and particularly to a network relay device and a network relay method adapted to detect an irregular terminal on a network.
  • DHCP Dynamic Host Configuration Protocol
  • IETF Internet Engineering Task Force
  • RFC Request for Comments
  • a DHCP protocol which is exchanged among a DHCP server and a terminal is monitored; and information about a terminal to which an address has been allocated by DHCP is managed through its IP address and MAC address, enabling communication only with a terminal that matches the managed information.
  • a DHCP protocol which is exchanged among a DHCP server and a terminal is monitored (DHCP snooping), filtering (IP Source Guard) utilizing an IP address, a port and a VLAN (Virtual Local Area Network) of a terminal to which an address has been allocated by DHCP is executed, and filtering (Port Security) utilizing a MAC address, a port and a VLAN of a terminal to which an address has been allocated by DHCP is executed.
  • IP Source Guard IP Source Guard
  • VLAN Virtual Local Area Network
  • the IP address, which is the layer 3 address, and the MAC address, which is the layer 2 address are handled separately. There accordingly exists a risk that a terminal having the DHCP-allocated IP address of a first terminal and the DHCP-allocated MAC address of a second terminal could not be prevented from irregular communication.
  • An object of the present invention is to provide a technology adapted to more carefully identify irregular communication by an irregular terminal.
  • a network relay device for relaying communication for a regular terminal via a port.
  • the network relay device comprises an acquiring module, a regular terminal information storing module, and a determination process module.
  • the acquiring module acquires a regular layer 2 address representing a layer 2 address allocated to the regular terminal, a regular layer 3 address representing a layer 3 address allocated to the regular terminal, regular VLAN information representing a VLAN assigned to the regular terminal, and regular port information representing a port to which the regular terminal is connected.
  • the regular terminal information storing module stores regular terminal information representing a combination of the acquired regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information.
  • the determination process module determines whether the combination of source layer 2 address, source layer 3 address, assigned VLAN, and reception port of target frame data received via the port is stored as the regular terminal information in the regular terminal information storing module. According to this network relay device, target frame data for which the combination of the source layer 2 address, the source layer 3 address, the assigned VLAN, and the reception port of the target frame data does not match the combination of the regular layer 2 address, the regular layer 3 address, the regular VLAN, and the regular port information that has been stored in the storing module as the regular terminal information will be identified as data belonging to an irregular terminal, whereby communication by an irregular terminal can be identified more carefully.
  • the present invention can be realized in various aspects.
  • the present invention can be realized in aspects such as a method of controlling a network relay device, a network relay method, or a method of controlling a network relay system.
  • the present invention can also be realized in aspects such as a computer program that controls a network relay device or a network relay system, a recording medium on which such computer program is recorded, or a computer program product that includes this recording medium.
  • FIG. 1 is a diagram depicting a configuration of a network system of Embodiment 1;
  • FIG. 2 is a block diagram depicting the configuration of the network relay device SW 1 in Embodiment 1;
  • FIG. 3 is a diagram depicting in overview an irregular terminal detection method in Embodiment 1;
  • FIG. 4 is a flowchart showing the process flow for setting up the network relay device SW 1 to conform to the network configuration, and initiating detection of irregular terminals;
  • FIG. 5 is a first flowchart depicting the process steps of a frame data reception process
  • FIG. 6 is a second flowchart depicting the process steps of the frame data reception process
  • FIG. 7 is an illustration depicting DHCP frame data
  • FIG. 8 is a flowchart depicting the process steps in a DHCP parsing process
  • FIG. 9 is a flowchart depicting the process steps of a layer 3 transport process
  • FIG. 10 is a flowchart depicting the process steps of a layer 2 transport process
  • FIG. 11 is a first flowchart depicting the process flow of an irregular terminal detection process
  • FIG. 12 is a second flowchart depicting the process flow of the irregular terminal detection process
  • FIG. 13 is a flowchart depicting process steps by the frame process determination module 480 and the MAC address learning processor 490 ;
  • FIG. 14 is a block diagram depicting the configuration of the network relay device SW 1 A in Embodiment 2;
  • FIG. 15 is a diagram depicting in overview an irregular terminal detection method in Embodiment 2;
  • FIG. 16 is a first flowchart depicting the process steps of an irregular terminal detection process in Embodiment 2;
  • FIG. 17 is a second flowchart depicting the process steps of the irregular terminal detection process in Embodiment 2.
  • FIG. 18 is an illustration depicting an overview of Embodiment 3.
  • FIG. 1 is a diagram depicting a configuration of a network system of Embodiment 1.
  • the network system of Embodiment 1 includes a DHCP server D 1 , switches SW 1 , SW 2 provided as network relay devices, terminals H 1 and H 2 , and an irregular terminal A.
  • network relay devices that are connected to other ports of the network relay device SW 1 are not shown.
  • the terminals H 1 and H 2 are terminals that are allocated IP addresses by DHCP (hereinafter also referred to as regular terminals).
  • Irregular terminal A has a MAC address that has been manually set to the MAC address of terminal H 1 and an IP address manually set to the IP address of terminal H 2 , which addresses have been acquired through means such a packet sniffing.
  • the irregular communication prevention method which is a feature of Embodiment 1 is an operation that takes place in the network relay device SW 1 .
  • the network relay device SW 2 is a switch that lacks a filtering function for preventing irregular communication, and is simply connected for network layering purposes.
  • the network relay devices SW 1 and SW 2 include a plurality of ports P 11 to P 1 n (n is an integer equal to 2 or greater).
  • the network relay device SW 1 also sets a plurality of VLANs V 11 to P 1 n (n is an integer equal to 2 or greater).
  • FIG. 2 is a block diagram depicting the configuration of the network relay device SW 1 in Embodiment 1.
  • the network relay device SW 1 has a management module 100 , a frame transport processor 200 , a protocol processor 300 , and a destination/process determination module 400 .
  • the management module 100 has a user interface 110 adapted to receive instructions from a user.
  • the protocol processor 300 carries out processes relating to protocols such as routing protocols and ARP (Address Resolution Protocol); it will not be discussed in detail.
  • the protocol processor 300 has a DHCP parsing processor 310 for carrying out processes relating to DHCP.
  • the destination/process determination module 400 includes a port status identification module 410 , a port status management table 411 , a VLAN status determination module 420 , a VLAN status management table 421 , a packet class determination module 430 , a layer 3 (L3) forwarding processor 440 , a routing table 441 , an ARP processor 450 , an ARP table 451 , a layer 2 (L2) forwarding processor 460 , an FDB (Forwarding Data Base) 461 , an irregular terminal detection module 470 , an authentication database 471 , a frame process determination module 480 , and a MAC address learning processor 490 .
  • L3 layer 3
  • FIG. 3 is a diagram depicting in overview an irregular terminal detection method in Embodiment 1.
  • Target frame data 800 for which the transport process is primarily be carried out by the network relay device SW 1 includes an Ethernet header 810 , an IP header 820 , and a payload 830 .
  • the Ethernet header 810 describes information that is used by the layer 2 protocol (in the present embodiment, Ethernet).
  • the Ethernet header 810 includes a destination MAC address (hereinafter DMAC), a source MAC address (hereinafter SMAC), and an VLAN-ID.
  • DMAC destination MAC address
  • SMAC source MAC address
  • VLAN-ID VLAN-ID
  • the VLAN-ID is information representing the VLAN (assigned VLAN) being used for the target frame data 800 .
  • the IP header 820 is a header that describes information used in processes taking place in the network layer.
  • the IP header 820 includes a source IP address (hereinafter SIP) and a destination IP address (hereinafter DIP).
  • SIP source IP address
  • DIP destination IP address
  • the payload represents the data proper which is the object of the transport process.
  • the authentication database 471 describes information for regular terminals (regular terminal information) whose IP addresses have been allocated by DHCP.
  • the regular terminal information described in the authentication database 471 includes, for each individual regular terminal, an allocated IP address (regular IP address IP REG ), regular VLAN information VL REG , regular port information PO REG , and a regular terminal MAC address (regular MAC address MAC REG ).
  • the regular VLAN information VL REG indicates the assigned VLAN (regular VLAN) of a regular terminal.
  • the regular port information PO REG indicates the port (regular port) that communicates with the regular terminal.
  • the network relay device SW 1 determines whether the target frame data 800 is regular data sent from a regular terminal, or irregular data sent from an irregular terminal. Specifically, the network relay device SW 1 determines whether the combination of source IP address of the target frame data 800 , assigned VLAN, reception port, and source MAC address of the target frame data 800 matches any of the combinations of regular terminal regular IP address IP REG , regular VLAN information VL REG , regular port information PO REG , and regular MAC address MAC REG that are described in the authentication database 471 . In the event that these combinations match, the target frame data 800 will be designated as data sent from a regular terminal, and a normal transport process will be carried out by the network relay device SW 1 . On the other hand, in the event that these combinations do not match, the network relay device SW 1 will designate the target frame data 800 as having been sent by an irregular terminal and will discard the data.
  • FIG. 4 is a flowchart showing the process flow for setting up the network relay device SW 1 to conform to the network configuration, and initiating detection of irregular terminals.
  • the management module 100 of the network relay device SW 1 receives an uplink/downlink instruction for each port from the device administrator (Step S 310 ).
  • An uplink port refers to a port to which the DHCP server D 1 is connected.
  • a port to which the DHCP server D 1 is connected via another switch is also considered as an uplink port.
  • a downlink port refers to a port to which the DHCP server D 1 is not connected.
  • Regular terminals that have been allocated IP addresses by the DHCP server D 1 is connected to downlink ports of switches.
  • the management module 100 of the network relay device SW 1 receives from the device administrator a DHCP snooping enable/disable instruction for each VLAN (Step S 320 ). This instruction is input to the network relay device SW 1 by the device administrator, through a management terminal (not shown) which is connected to the network relay device SW 1 .
  • FIG. 5 is a first flowchart depicting the process steps of a frame data reception process.
  • the frame transport processor 200 receives the frames and saves them in a frame accumulation memory, not shown (Step S 410 ).
  • the frame transport processor 200 extracts header information needed by the destination/process determination module 400 , e.g. the destination MAC address, source MAC address, VLAN-ID, destination IP address, and source IP address, and send this information to the destination/process determination module 400 (Step S 420 ).
  • control frame data for DHCP etc. it is preferable for control frame data for DHCP etc. to be given higher priority in control than ordinary frame data. For this reason, in preferred practice, the frame transport processor 200 determines whether the received frame data is control frame data for DHCP etc., and when saving data to the frame accumulation memory gives priority to data that has been determined to be control frame data for DHCP etc.
  • FIG. 6 is a second flowchart depicting the process steps of the frame data reception process.
  • the port status identification module 410 of the destination/process determination module 400 looks up in the port status management table 411 and check the status of the reception port (Step S 510 ). It is thereby recognized whether the reception port is an uplink port or a downlink port, for example.
  • the VLAN status determination module 420 of the destination/process determination module 400 determines the assigned VLAN of the target frame data 800 (Step S 520 ). The VLAN status determination module 420 of the destination/process determination module 400 then looks up in the VLAN status management table 421 and checks the status of the assigned VLAN (Step S 530 ). It is thereby recognized whether DHCP snooping is enabled for the VLAN, for example.
  • the packet class determination module 430 of the destination/process determination module 400 determines the protocol of the target frame data 800 , from the header information that is received from the frame transport processor 200 (Step S 540 ). If the frame type so determined is a DHCP frame, and if the VLAN status of the assigned VLAN has been set to enable DHCP snooping, the process proceeds to the DHCP parsing process (Step S 550 : YES). On the other hand, if the frame type so determined is not a DHCP frame, or if the VLAN status of the assigned VLAN has been set to disable DHCP snooping, (Step S 550 : NO), it is then determined whether layer 3 transport is needed (Step S 560 ). If layer 3 transport is needed, the process proceeds to the layer 3 transport process flow (Step S 560 : YES), whereas if layer 3 transport is not needed, the process proceeds to the layer 2 transport process flow (Step S 560 : NO).
  • FIG. 7 is an illustration depicting DHCP frame data.
  • the packet class determination module 430 of the destination/process determination module 400 determines whether the target frame data 800 is DHCP frame data F 100 by inspecting the target frame data 800 to determine if there is a DHCP header F 200 encapsulated with the Ethernet header, the IP header, and the UDP header.
  • FIG. 8 is a flowchart depicting the process steps in a DHCP parsing process.
  • the DHCP header F 200 is retrieved from the DHCP frame 100 , and checked (Step S 710 ).
  • Step S 710 it is determined whether the type of DHCP frame data is ACK, and whether the port status of the reception port is uplink (Step S 720 ). If the determination is positive (Step S 720 : YES), information for the regular terminal that has been newly allocated an IP address is appended the authentication database 471 that manages the regular terminal, in the form of a combination of regular MAC address, regular IP address, assigned VLAN of the regular terminal, and the port for communicating with the regular terminal.
  • the validity period of regular terminal information may be managed, and when the validity period expires, the registered information may be deleted automatically. For example, a validity period could be initialized in the event that setup is carried out again for a regular terminal that was managed previously. If on the other hand the determination is negative (Step S 720 : NO), it is determined whether the type of DHCP frame data is RELEASE, and whether the port status of the reception port is downlink (Step S 730 ). If this determination is positive (Step S 730 : YES), the authentication database 471 is searched to ascertain if the terminal that sent the RELEASE has been set up therein (Step S 740 ).
  • Step S 740 YES
  • the regular terminal information of the terminal that sent the RELEASE is deleted from the authentication database 471 .
  • the search result shows that the terminal is not registered in the authentication database 471 (Step S 740 : NO)
  • the target frame data 800 is discarded. If the aforementioned determination is negative (Step S 730 : NO), it is then determined whether layer 3 transport is needed (Step S 750 ). If layer 3 transport is needed, the process proceeds to the layer 3 transport process flow (Step S 750 : YES), whereas if layer 3 transport is not needed the process proceeds to the layer 2 transport process (Step S 750 : NO).
  • Regular terminal information registered in the authentication database 471 is saved in the form of a linked layer 2/3 database in which layer 2 information and layer 3 information are linked, for example.
  • FIG. 9 is a flowchart depicting the process steps of a layer 3 transport process.
  • the layer 3 forwarding processor 440 of the destination/process determination module 400 searches the routing table 431 by the destination IP address for the target frame data 800 ; and determines the VLAN that output the target frame data 800 (output VLAN) and the transport destination (Next Hop), and communicates this information to the ARP processor 450 of the destination/process determination module 400 (Step S 810 ).
  • the ARP processor 450 of the destination/process determination module 400 searches the ARP table 451 by the communicated next hop; and determines the MAC address of the next hop and communicates this information to the layer 2 forwarding processor 460 of the destination/process determination module 400 (Step S 820 ).
  • the layer 2 forwarding processor 460 of the destination/process determination module 400 searches the FDB 461 by the aforementioned MAC address, determines the output port of the target frame data 800 , and communicates this information to the irregular terminal detection module 470 (Step S 830 ).
  • FIG. 10 is a flowchart depicting the process steps of a layer 2 transport process.
  • the layer 2 forwarding processor 460 of the destination/process determination module 400 searches the FDB 461 by the assigned VLAN of the target frame data 800 and the destination MAC address, determines the output port of the target frame data 800 , and communicates this information to the irregular terminal detection module 470 (Step S 910 ).
  • FIG. 11 is a first flowchart depicting the process flow of an irregular terminal detection process.
  • FIG. 11 illustrates the irregular terminal detection process flow in a case where the target frame data 800 is an IP packet.
  • Step S 1001 it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink.
  • the irregular terminal detection module 470 of the destination/process determination module 400 searches the authentication database 471 by the target frame data 800 source MAC address, source IP address, assigned VLAN, and reception port (Step S 1002 ).
  • Step S 1003 YES
  • VLAN status is DHCP snooping disenabled or the port status of the reception port is uplink
  • Step S 1004 the irregular terminal detection module 470 communicates to the frame process determination module 480 the output port that was previously communicated to it by the layer 2 forwarding processor 460 (Step S 1004 ). If on the other hand, the search result indicates that no corresponding entry exists (Step S 1003 : NO), the irregular terminal detection module 470 communicates a discard instruction to the frame process determination module 480 (Step S 1005 ).
  • FIG. 12 is a second flowchart depicting the process flow of the irregular terminal detection process.
  • FIG. 12 illustrates the irregular terminal detection process flow in a case where the target frame data 800 is a non-IP packet.
  • the irregular terminal detection module 470 of the destination/process determination module 400 searches the authentication database 471 by the target frame data 800 source MAC address, assigned VLAN, and reception port (Step S 1102 ).
  • the irregular terminal detection module 470 communicates to the frame process determination module 480 the output port that was previously communicated to it by the layer 2 forwarding processor 460 (Step S 1104 ). If the authentication database 471 search result indicates that no corresponding entry exists (Step S 1103 : NO), the irregular terminal detection module 470 communicates a discard instruction to the frame process determination module 480 (Step S 1105 ).
  • FIG. 13 is a flowchart depicting process steps by the frame process determination module 480 and the MAC address learning processor 490 .
  • the frame process determination module 480 of the destination/process determination module 400 parses the determination result communicated to it by the irregular terminal detection module 470 (Step S 1201 ). If the result of parsing indicates a discard instruction (Step S 1202 : YES), the frame process determination module 480 discards the target frame data 800 (Step S 1203 ). If on the other hand result of parsing does not indicate a discard instruction (Step S 1202 : NO), the MAC address learning processor 490 carries out an FDB learning process with the target frame data 800 source MAC address (Step S 1204 ).
  • the FDB learning process is a process for learning an association of the source MAC address with the port to which the device having the source MAC address is connected.
  • the MAC address learning processor 490 communicates to the frame transport processor 200 the determination result that was communicated to it by the frame process determination module 480 (Step S 1205 ).
  • the frame transport processor 200 then sends the target frame data 800 from the output port that was communicated to it by the MAC address learning processor 490 (Step S 1206 ).
  • the network relay device SW 1 described above can successfully prevent irregular communication in a situation where an irregular terminal whose IP address and MAC address have been manually set to addresses identical to those of a regular terminal which has been allocated an IP address by the DHCP server has surreptitiously connected to a different port of a network relay device or to a different VLAN.
  • an irregular terminal that through packet sniffing or the like was able to acquire the IP address and MAC address of a terminal that was previously allocated an IP address by DHCP will not be able to connect to the network, even if its IP address has been manually set to one identical to a regular terminal, and its MAC address has been changed to one identical to a regular terminal.
  • irregular terminal detection will be carried out using a combination of the regular IP address IP REG (which is layer 3 information) together with the regular VLAN information VL REG , the regular MAC address MAC REG , and the regular port information PO REG , so communication by an irregular terminal can be identified more carefully.
  • IP REG which is layer 3 information
  • the irregular terminal detection process is carried out on the basis of a process of allocating IP addresses to terminals by DHCP.
  • the IP address allocation process is not limited to the DHCP protocol, and it is possible to adapt to various other technologies for allocating IP addresses to terminals through appropriate modification of the packet class determination module 430 and the protocol processor 300 .
  • the authentication database 471 By designing the authentication database 471 to be set up through a user interface, it will also be possible with the detection method according to the present invention to detect irregular terminals in situations where terminal IP addresses are configured manually rather than by a technology that allocates IP addresses to terminals.
  • the general configuration of the network system of Embodiment 2 is identical to the general configuration of the network system of Embodiment 1 described earlier with reference to FIG. 1 , and as such will not be discussed.
  • the network system of Embodiment 2 is provided with a network relay device SW 1 A in place of the network relay device SW 1 . Operation of the irregular terminal detection method which is a feature of Embodiment 2 takes place in the network relay device SW 1 A.
  • the network relay device SW 2 is a switch that lacks a filtering function for preventing irregular communication, and is simply connected for network layering purposes.
  • FIG. 14 is a block diagram depicting the configuration of the network relay device SW 1 A in Embodiment 2.
  • the network relay device SW 1 A has a management module 100 A, a frame transport processor 200 A, a protocol processor 300 A, and a destination/process determination module 400 A.
  • the management module 100 A has a user interface 110 A adapted to receive instructions from a user.
  • the protocol processor 300 A carries out processes relating to protocols such as routing protocols and ARP (Address Resolution Protocol); it will not be discussed in detail.
  • the protocol processor 300 A has a DHCP parsing processor 310 A for carrying out processes relating to DHCP.
  • the destination/process determination module 400 A includes a port status identification module 410 A, a port status management table 411 A, a VLAN status determination module 420 A, a VLAN status management module 421 A, a packet class determination module 430 A, a layer 3 forwarding processor 440 A, a routing table 441 A, an ARP processor 450 A, an ARP table 451 A, a layer 2 forwarding processor 460 A, an FDB 461 A, an irregular terminal detection module 470 A, a frame process determination module 480 A, and a MAC address learning processor 490 A.
  • FIG. 15 is a diagram depicting in overview an irregular terminal detection method in Embodiment 2.
  • regular terminal information is stored in the authentication database 471 which is an independent database; in Embodiment 2 however, regular terminal information is stored in relay lookup tables that the network relay device uses to identify transport destinations in normal transport processes. That is, a storing module for storing regular terminal information is provided within the relay lookup tables.
  • the network relay device SW 1 A of Embodiment 2 is provided, as relay lookup tables, with a routing table 441 A, an ARP table 451 A, and an FDB 461 A.
  • the regular IP address IP REG and the VLAN information VL REG are stored in the routing table 441 A. Also, from the regular terminal information, the regular MAC address MAC REG is stored in the ARP table 451 A, while the regular port information PO REG is stored in the FDB 461 A. These items of regular terminal information are stored in different areas (authentication areas) from areas where information used for transport processes (relay areas) is stored.
  • the transport areas and the authentication areas of the tables 441 A, 451 A, 461 A are identified by flags stored in the tables, for example. During lookup for the purpose of a transfer process, reference is made to relay areas.
  • the relay areas are managed by conventional functions such as routing protocol/ARP protocol/MAC learning etc.
  • the authentication areas are managed by the protocol processor 300 A.
  • the network relay device SW 1 A searches the routing table 441 A. If the target frame data 800 source IP address has been previously saved as a regular IP address IP REG in the routing table 441 A, it is confirmed that the source IP address is a regular IP address IP REG , and the regular VLAN information VLAN REG and the next hop are determined. The network relay device SW 1 then searches the ARP table 451 A on the basis of the next hop thusly determined. A regular MAC address MAC REG is determined as a result. The network relay device SW 1 A then searches the FDB 461 A on the basis of the MAC address MAC REG thusly determined. Regular port information PO REG is determined as a result.
  • the network relay device SW 1 A is able to extract the regular IP address IP REG , the regular VLAN information VLAN REG , the regular MAC address MAC REG , and the regular port information PO REG as regular port information by sequentially searching the tables 441 A, 451 A, 461 A.
  • the network relay device SW 1 A makes determinations as to whether target frame data 800 is regular data sent from a regular terminal, or irregular data send from an irregular terminal. Specifically, the network relay device SW 1 A determines whether the combination of the target frame data 800 source IP address, assigned VLAN, reception port, and source MAC address matches the extracted combination of regular terminal regular IP address IP REG , regular VLAN information VL REG , regular port information PO REG , and regular MAC address MAC REG . As in Embodiment 1, in the event that these combinations match, the network relay device SW 1 A designates the target frame data 800 as data sent from a regular terminal, and carries out the normal transport process. On the other hand, in the event that these combinations do not match, the network relay device SW 1 A designates the target frame data 800 as having been sent by an irregular terminal, and discards it.
  • FIG. 16 is a first flowchart depicting the process steps of an irregular terminal detection process in Embodiment 2.
  • FIG. 16 illustrates the irregular terminal detection process flow in a case where the received frame is an IP packet.
  • Step S 1401 it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink.
  • the irregular terminal detection module 470 A of the destination/process determination module 400 A communicates the received frame source IP address to the layer 3 forwarding processor 440 A of the destination/process determination module 400 A (Step S 1402 ).
  • the layer 3 forwarding processor 440 A of the destination/process determination module 400 A searches by the received frame source IP address for a direct route in the authentication area of the routing table 441 A; then determines the VLAN and the next hop, and communicates the VLAN and the next hop to the ARP processor 450 A of the destination/process determination module 400 A (Step S 1403 ).
  • the VLAN information communicated here is regular VLAN information VL REG .
  • the ARP processor 450 A of the destination/process determination module 400 A searches the ARP table 451 A by the previously determined next hop; then determines the MAC address that corresponds to the next hop, and communicates the aforementioned VLAN (regular VLAN information VL REG ) and the MAC address thusly determined to the layer 2 forwarding processor 460 A of the destination/process determination module 400 A (Step S 1404 ).
  • the MAC address communicated here is a regular MAC address MAC REG .
  • the layer 2 forwarding processor 460 A of the destination/process determination module 400 A searches the FDB 461 A by the previously determined VLAN (regular VLAN information VL REG ) and the previously determined MAC address (regular MAC address MAC REG ); then determines the port that corresponds to the MAC address, and communicates the aforementioned VLAN (regular VLAN information VL REG ), the MAC address (regular MAC address MAC REG ), and the port thusly determined to the irregular terminal detection module 470 A of the destination/process determination module 400 A (Step S 1405 ).
  • the port information that is communicated here is regular port information PO REG .
  • Step S 1406 YES
  • the irregular terminal detection module 470 A communicates to the frame process determination module 480 A the output port that was communicated to it from the layer 2 forwarding processor 460 A (Step S 1407 ). If the determination is that they do not match (Step S 1406 : NO), the irregular terminal detection module 470 A communicates to the frame process determination module 480 A a discard instruction (Step S 1408 ).
  • FIG. 17 is a second flowchart depicting the process steps of the irregular terminal detection process in Embodiment 2.
  • FIG. 17 illustrates the irregular terminal detection process flow in a case where the received frame is a non-IP packet.
  • the irregular terminal detection module 470 A of the destination/process determination module 400 A communicates the received frame source MAC address to the layer 2 forwarding processor 460 A of the destination/process determination module 400 A (Step S 1502 ).
  • the layer 2 forwarding processor 460 A of the destination/process determination module 400 A searches the FDB 461 A by the reception VLAN and source MAC address, then determines the port and communicates this to the irregular terminal detection module 470 A (Step S 1503 ).
  • the port information communicated here is regular port information PO REG .
  • Step S 1504 determines whether they are determined to match (Step S 1504 : YES), in the event that the VLAN status is DHCP snooping disabled, or the port status of the reception port is uplink (Step S 1501 : NO), the irregular terminal detection module 470 A communicates the output port that was communicated to it from the layer 2 forwarding processor 460 A, to the frame process determination module 480 A (Step S 1505 ). If they are determined to not match, (Step S 1504 : NO) the irregular terminal detection module 470 A communicates a discard instruction to the frame process determination module 480 A (Step S 1506 ).
  • the network relay device SW 1 A according to Embodiment 2 described above affords working effects comparable to those of the network relay device SW 1 of Embodiment 1.
  • the network relay device SW 1 A of Embodiment 2 obviates the need for the authentication database 471 that was required in Embodiment 1.
  • a simpler design for the network relay device SW 1 A can thus be attained through a reduced number of parts, smaller required memory capacity, and so on.
  • the memory capacity of the network relay device SW 1 A can be effectively utilized, for example, by being used for other purposes.
  • Embodiment 2 it is possible for some processes to be utilized in common with an existing uRPF function. Specifically, the function of path search by source IP address could be utilized in common. Thus, if operated simultaneously with the uRPF function, the function activation frequency of network process LSI will be lower than where the two functions operate independently, which will provide advantages in terms of energy conservation as well.
  • the irregular terminal detection process is carried out on the basis of a process of allocating IP addresses to terminals by DHCP.
  • the IP address allocation process is not limited to the DHCP protocol, and it is possible to adapt to various other technologies for allocating IP addresses to terminals through appropriate modification of the packet class determination module 430 A and the protocol processor 300 A.
  • the routing table 441 A, the ARP table 451 A, and the FDB 461 A so as to be set up through a user interface, using the detection method according to the present invention, it is also possible to detect irregular terminals in situations where terminal IP addresses are configured manually rather than by a technology that allocates IP addresses to terminals.
  • the present embodiment describes an example of terminals that are allocated IPv4 IP addresses, detection of IPv6 irregular terminals is possible in analogous fashion.
  • FIG. 18 is an illustration depicting an overview of Embodiment 3.
  • the routing protocol that manages the routing table 441 A the ARP protocol that manages the ARP table 451 A
  • the MAC learning process function that manages the FDB 461
  • the irregular terminal detection function As depicted in FIG.
  • each of the tables 441 A, 451 A, 461 A is provided with an authentication area; regular terminal information is registered therein separately from the relay area used for managing other control functions, with the authentication area being managed by the irregular terminal detection function.
  • regular terminal information is stored in the relay area in the same way as information for relay purposes.
  • the irregular terminal detection function manages the entry from the time that the entry is stored until it is deleted. Other processes, such as the irregular terminal detection process, are comparable to those in Embodiment 2 and will not be described.
  • Embodiment 3 described above affords working effects comparable to those of Embodiment 2. Additionally, since the tables 441 A, 451 A, 461 A are not provided with an authentication area, the memory capacity needed by the 441 A, 451 A, 461 A can be reduced.
  • the network relay devices SW 1 , SW 1 A are switches for carrying out layer 3 transport; however, the present invention may be implemented in a router instead.
  • the network relay devices SW 1 , SW 1 A may also be layer 2 switches for carrying out layer 2 transport. Even where the device is a layer 2 switch, in preferred practice, irregular terminal detection will be carried out based on a combination of the layer 3 information regular IP address IP REG with VLAN information VL REG , regular MAC address MAC REG , and regular port information PO REG .
  • the MAC address is employed as the layer 2 (data link layer) address
  • the IP address is employed as the layer 3 (network layer) address; however, this is because the network connecting the various devices in the embodiments employs the Ethernet (TM) standard as the data link layer protocol, and IP (Internet Protocol) as the network layer protocol.
  • TM Ethernet
  • IP Internet Protocol
  • the addresses employed in these protocols may be used. In this case, the data for transfer would be data used by the protocol of the data link layer, rather than Ethernet frames.
  • the frame transport processor 200 , the protocol processor 300 , the management module 100 , and the destination/process determination module 400 are constituted so as to be included in a single unit case.
  • some of these constituent elements may instead be provided separately to several unit cases.
  • the management module 100 and the protocol processor 300 may be provided as separate control management devices.
  • several network relay devices may be connected by cables, and a single network relay device SW 1 , SW 1 A may be composed of several network relay devices.
  • the aforementioned irregular terminal detection function may be provided to some or all of the several network relay devices that make up the network relay device SW 1 , SW 1 A.
  • frames that are determined to be target frame data 800 sent by an irregular terminal are discarded; however, they may instead be forwarded to an irregular frame data analysis unit or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network relay device for relaying communication for a regular terminal via a port includes an acquiring module, a regular terminal information storing module, and a determination process module. The acquiring module acquires a regular layer 2 address, a regular layer 3 address, regular VLAN information representing a VLAN assigned to the regular terminal, and regular port information representing a port to which the regular terminal is connected. The regular terminal information storing module stores regular terminal information representing a combination of the acquired regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information. The determination process module determines whether the combination of source layer 2 address, source layer 3 address, assigned VLAN, and reception port of target frame data received via the port is stored as the regular terminal information.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • The present application claims the priority based on a Japanese Patent Application No. 2008-147131 filed on Jun. 4, 2008, the disclosure of which is hereby incorporated by reference in its entirety.
    • BACKGROUND
  • 1. Technical Field
  • The present invention relates to a network relay device and a network relay method; and particularly to a network relay device and a network relay method adapted to detect an irregular terminal on a network.
  • 2. Description of Related Art
  • DHCP (Dynamic Host Configuration Protocol) is a method used for allocating an IP address to a terminal automatically. DHCP has been standardized by the IETF (Internet Engineering Task Force) and is published as RFC (Request for Comments) 2131. By allocating an IP address to an administered terminal only while not allocating an IP address to an irregular terminal, DHCP can prevent an irregular terminal from connecting to a network. However, an irregular terminal could still connect to a network, through manual setting of its IP address.
  • Technologies for preventing communication by an irregular terminal whose IP address has been set manually have been proposed in the past.
  • According to this technology, a DHCP protocol which is exchanged among a DHCP server and a terminal is monitored; and information about a terminal to which an address has been allocated by DHCP is managed through its IP address and MAC address, enabling communication only with a terminal that matches the managed information.
  • Other technologies besides the technology mentioned above for preventing communication by an irregular terminal whose IP address has been set manually have been proposed in the past.
  • According to this technology, a DHCP protocol which is exchanged among a DHCP server and a terminal is monitored (DHCP snooping), filtering (IP Source Guard) utilizing an IP address, a port and a VLAN (Virtual Local Area Network) of a terminal to which an address has been allocated by DHCP is executed, and filtering (Port Security) utilizing a MAC address, a port and a VLAN of a terminal to which an address has been allocated by DHCP is executed.
  • However, technologies mentioned above do not take into account the possibility that a MAC address of a terminal could be set manually. Thus, with the technologies, there exists a risk that an irregular terminal having a manually set IP address and MAC address identical to those of a terminal for which addresses have been allocated by DHCP is able to connect to a different port of the network relay device or to a different VLAN, so that irregular communication cannot be prevented.
  • According to the technologies, the IP address, which is the layer 3 address, and the MAC address, which is the layer 2 address, are handled separately. There accordingly exists a risk that a terminal having the DHCP-allocated IP address of a first terminal and the DHCP-allocated MAC address of a second terminal could not be prevented from irregular communication.
  • Thus, in consideration of the possibility that the MAC address of a terminal could be set manually, there exists a need to more carefully identify irregular communication by an irregular terminal.
    • SUMMARY
  • An object of the present invention is to provide a technology adapted to more carefully identify irregular communication by an irregular terminal.
  • In one aspect of the present invention, there is provided a network relay device for relaying communication for a regular terminal via a port. The network relay device comprises an acquiring module, a regular terminal information storing module, and a determination process module. The acquiring module acquires a regular layer 2 address representing a layer 2 address allocated to the regular terminal, a regular layer 3 address representing a layer 3 address allocated to the regular terminal, regular VLAN information representing a VLAN assigned to the regular terminal, and regular port information representing a port to which the regular terminal is connected. The regular terminal information storing module stores regular terminal information representing a combination of the acquired regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information. The determination process module determines whether the combination of source layer 2 address, source layer 3 address, assigned VLAN, and reception port of target frame data received via the port is stored as the regular terminal information in the regular terminal information storing module. According to this network relay device, target frame data for which the combination of the source layer 2 address, the source layer 3 address, the assigned VLAN, and the reception port of the target frame data does not match the combination of the regular layer 2 address, the regular layer 3 address, the regular VLAN, and the regular port information that has been stored in the storing module as the regular terminal information will be identified as data belonging to an irregular terminal, whereby communication by an irregular terminal can be identified more carefully.
  • The present invention can be realized in various aspects. For example, the present invention can be realized in aspects such as a method of controlling a network relay device, a network relay method, or a method of controlling a network relay system. The present invention can also be realized in aspects such as a computer program that controls a network relay device or a network relay system, a recording medium on which such computer program is recorded, or a computer program product that includes this recording medium.
  • These and other objects, features, aspects, and advantages of the present invention will become more apparent from the following detailed description of the preferred embodiments with the accompanying drawings.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram depicting a configuration of a network system of Embodiment 1;
  • FIG. 2 is a block diagram depicting the configuration of the network relay device SW1 in Embodiment 1;
  • FIG. 3 is a diagram depicting in overview an irregular terminal detection method in Embodiment 1;
  • FIG. 4 is a flowchart showing the process flow for setting up the network relay device SW1 to conform to the network configuration, and initiating detection of irregular terminals;
  • FIG. 5 is a first flowchart depicting the process steps of a frame data reception process;
  • FIG. 6 is a second flowchart depicting the process steps of the frame data reception process;
  • FIG. 7 is an illustration depicting DHCP frame data;
  • FIG. 8 is a flowchart depicting the process steps in a DHCP parsing process;
  • FIG. 9 is a flowchart depicting the process steps of a layer 3 transport process;
  • FIG. 10 is a flowchart depicting the process steps of a layer 2 transport process;
  • FIG. 11 is a first flowchart depicting the process flow of an irregular terminal detection process;
  • FIG. 12 is a second flowchart depicting the process flow of the irregular terminal detection process;
  • FIG. 13 is a flowchart depicting process steps by the frame process determination module 480 and the MAC address learning processor 490;
  • FIG. 14 is a block diagram depicting the configuration of the network relay device SW1A in Embodiment 2;
  • FIG. 15 is a diagram depicting in overview an irregular terminal detection method in Embodiment 2;
  • FIG. 16 is a first flowchart depicting the process steps of an irregular terminal detection process in Embodiment 2;
  • FIG. 17 is a second flowchart depicting the process steps of the irregular terminal detection process in Embodiment 2; and
  • FIG. 18 is an illustration depicting an overview of Embodiment 3.
    •  DESCRIPTION OF THE PREFERRED EMBODIMENT A. Embodiment 1
  • FIG. 1 is a diagram depicting a configuration of a network system of Embodiment 1. The network system of Embodiment 1 includes a DHCP server D1, switches SW1, SW2 provided as network relay devices, terminals H1 and H2, and an irregular terminal A. To simplify the discussion, network relay devices that are connected to other ports of the network relay device SW1 are not shown. In FIG. 1, the terminals H1 and H2 are terminals that are allocated IP addresses by DHCP (hereinafter also referred to as regular terminals). Irregular terminal A, on the other hand, has a MAC address that has been manually set to the MAC address of terminal H1 and an IP address manually set to the IP address of terminal H2, which addresses have been acquired through means such a packet sniffing. The irregular communication prevention method which is a feature of Embodiment 1 is an operation that takes place in the network relay device SW1. The network relay device SW2 is a switch that lacks a filtering function for preventing irregular communication, and is simply connected for network layering purposes.
  • The network relay devices SW1 and SW2 include a plurality of ports P11 to P1 n (n is an integer equal to 2 or greater). The network relay device SW1 also sets a plurality of VLANs V11 to P1 n (n is an integer equal to 2 or greater).
  • FIG. 2 is a block diagram depicting the configuration of the network relay device SW1 in Embodiment 1. The network relay device SW1 has a management module 100, a frame transport processor 200, a protocol processor 300, and a destination/process determination module 400. The management module 100 has a user interface 110 adapted to receive instructions from a user. The protocol processor 300 carries out processes relating to protocols such as routing protocols and ARP (Address Resolution Protocol); it will not be discussed in detail. The protocol processor 300 has a DHCP parsing processor 310 for carrying out processes relating to DHCP.
  • The destination/process determination module 400 includes a port status identification module 410, a port status management table 411, a VLAN status determination module 420, a VLAN status management table 421, a packet class determination module 430, a layer 3 (L3) forwarding processor 440, a routing table 441, an ARP processor 450, an ARP table 451, a layer 2 (L2) forwarding processor 460, an FDB (Forwarding Data Base) 461, an irregular terminal detection module 470, an authentication database 471, a frame process determination module 480, and a MAC address learning processor 490.
  • FIG. 3 is a diagram depicting in overview an irregular terminal detection method in Embodiment 1. Prior to describing the specific operations of the constituent elements of the network relay device SW1 mentioned above, a brief overview of the irregular terminal detection method will be presented. Target frame data 800 for which the transport process is primarily be carried out by the network relay device SW1 includes an Ethernet header 810, an IP header 820, and a payload 830. The Ethernet header 810 describes information that is used by the layer 2 protocol (in the present embodiment, Ethernet). The Ethernet header 810 includes a destination MAC address (hereinafter DMAC), a source MAC address (hereinafter SMAC), and an VLAN-ID. The VLAN-ID is information representing the VLAN (assigned VLAN) being used for the target frame data 800. The IP header 820 is a header that describes information used in processes taking place in the network layer. The IP header 820 includes a source IP address (hereinafter SIP) and a destination IP address (hereinafter DIP). The payload represents the data proper which is the object of the transport process.
  • The authentication database 471 describes information for regular terminals (regular terminal information) whose IP addresses have been allocated by DHCP. The regular terminal information described in the authentication database 471 includes, for each individual regular terminal, an allocated IP address (regular IP address IPREG), regular VLAN information VLREG, regular port information POREG, and a regular terminal MAC address (regular MAC address MACREG). The regular VLAN information VLREG indicates the assigned VLAN (regular VLAN) of a regular terminal. The regular port information POREG indicates the port (regular port) that communicates with the regular terminal.
  • The network relay device SW1 determines whether the target frame data 800 is regular data sent from a regular terminal, or irregular data sent from an irregular terminal. Specifically, the network relay device SW1 determines whether the combination of source IP address of the target frame data 800, assigned VLAN, reception port, and source MAC address of the target frame data 800 matches any of the combinations of regular terminal regular IP address IPREG, regular VLAN information VLREG, regular port information POREG, and regular MAC address MACREG that are described in the authentication database 471. In the event that these combinations match, the target frame data 800 will be designated as data sent from a regular terminal, and a normal transport process will be carried out by the network relay device SW1. On the other hand, in the event that these combinations do not match, the network relay device SW1 will designate the target frame data 800 as having been sent by an irregular terminal and will discard the data.
  • Following is a detailed description of operations of the network relay device SW1.
    • Network Relay Device Settings
  • FIG. 4 is a flowchart showing the process flow for setting up the network relay device SW1 to conform to the network configuration, and initiating detection of irregular terminals. The management module 100 of the network relay device SW1 receives an uplink/downlink instruction for each port from the device administrator (Step S310). An uplink port refers to a port to which the DHCP server D1 is connected. A port to which the DHCP server D1 is connected via another switch is also considered as an uplink port. A downlink port refers to a port to which the DHCP server D1 is not connected. Regular terminals that have been allocated IP addresses by the DHCP server D1 is connected to downlink ports of switches. Next, the management module 100 of the network relay device SW1 receives from the device administrator a DHCP snooping enable/disable instruction for each VLAN (Step S320). This instruction is input to the network relay device SW1 by the device administrator, through a management terminal (not shown) which is connected to the network relay device SW1.
    • Frame Data Reception Process:
  • FIG. 5 is a first flowchart depicting the process steps of a frame data reception process. From the port P11 to P1 n at which the target frame data 800 has arrived, the frame transport processor 200 receives the frames and saves them in a frame accumulation memory, not shown (Step S410). From the received target frame data 800, the frame transport processor 200 extracts header information needed by the destination/process determination module 400, e.g. the destination MAC address, source MAC address, VLAN-ID, destination IP address, and source IP address, and send this information to the destination/process determination module 400 (Step S420).
  • From a network reliability standpoint, it is preferable for control frame data for DHCP etc. to be given higher priority in control than ordinary frame data. For this reason, in preferred practice, the frame transport processor 200 determines whether the received frame data is control frame data for DHCP etc., and when saving data to the frame accumulation memory gives priority to data that has been determined to be control frame data for DHCP etc.
  • FIG. 6 is a second flowchart depicting the process steps of the frame data reception process. Next, the port status identification module 410 of the destination/process determination module 400 looks up in the port status management table 411 and check the status of the reception port (Step S510). It is thereby recognized whether the reception port is an uplink port or a downlink port, for example.
  • From the header information that has been received from the frame transfer processor, the VLAN status determination module 420 of the destination/process determination module 400 determines the assigned VLAN of the target frame data 800 (Step S520). The VLAN status determination module 420 of the destination/process determination module 400 then looks up in the VLAN status management table 421 and checks the status of the assigned VLAN (Step S530). It is thereby recognized whether DHCP snooping is enabled for the VLAN, for example.
  • The packet class determination module 430 of the destination/process determination module 400 then determines the protocol of the target frame data 800, from the header information that is received from the frame transport processor 200 (Step S540). If the frame type so determined is a DHCP frame, and if the VLAN status of the assigned VLAN has been set to enable DHCP snooping, the process proceeds to the DHCP parsing process (Step S550: YES). On the other hand, if the frame type so determined is not a DHCP frame, or if the VLAN status of the assigned VLAN has been set to disable DHCP snooping, (Step S550: NO), it is then determined whether layer 3 transport is needed (Step S560). If layer 3 transport is needed, the process proceeds to the layer 3 transport process flow (Step S560: YES), whereas if layer 3 transport is not needed, the process proceeds to the layer 2 transport process flow (Step S560: NO).
  • FIG. 7 is an illustration depicting DHCP frame data. The packet class determination module 430 of the destination/process determination module 400 determines whether the target frame data 800 is DHCP frame data F100 by inspecting the target frame data 800 to determine if there is a DHCP header F200 encapsulated with the Ethernet header, the IP header, and the UDP header.
  • FIG. 8 is a flowchart depicting the process steps in a DHCP parsing process. In the DHCP parsing process, first, the DHCP header F200 is retrieved from the DHCP frame 100, and checked (Step S710). Next, it is determined whether the type of DHCP frame data is ACK, and whether the port status of the reception port is uplink (Step S720). If the determination is positive (Step S720: YES), information for the regular terminal that has been newly allocated an IP address is appended the authentication database 471 that manages the regular terminal, in the form of a combination of regular MAC address, regular IP address, assigned VLAN of the regular terminal, and the port for communicating with the regular terminal. The validity period of regular terminal information may be managed, and when the validity period expires, the registered information may be deleted automatically. For example, a validity period could be initialized in the event that setup is carried out again for a regular terminal that was managed previously. If on the other hand the determination is negative (Step S720: NO), it is determined whether the type of DHCP frame data is RELEASE, and whether the port status of the reception port is downlink (Step S730). If this determination is positive (Step S730: YES), the authentication database 471 is searched to ascertain if the terminal that sent the RELEASE has been set up therein (Step S740). If the search result shows that the terminal is registered in the authentication database 471 (Step S740: YES), the regular terminal information of the terminal that sent the RELEASE is deleted from the authentication database 471. If on the other hand the search result shows that the terminal is not registered in the authentication database 471 (Step S740: NO), the target frame data 800 is discarded. If the aforementioned determination is negative (Step S730: NO), it is then determined whether layer 3 transport is needed (Step S750). If layer 3 transport is needed, the process proceeds to the layer 3 transport process flow (Step S750: YES), whereas if layer 3 transport is not needed the process proceeds to the layer 2 transport process (Step S750: NO).
  • Regular terminal information registered in the authentication database 471 is saved in the form of a linked layer 2/3 database in which layer 2 information and layer 3 information are linked, for example.
  • FIG. 9 is a flowchart depicting the process steps of a layer 3 transport process. The layer 3 forwarding processor 440 of the destination/process determination module 400 searches the routing table 431 by the destination IP address for the target frame data 800; and determines the VLAN that output the target frame data 800 (output VLAN) and the transport destination (Next Hop), and communicates this information to the ARP processor 450 of the destination/process determination module 400 (Step S810). Next, the ARP processor 450 of the destination/process determination module 400 searches the ARP table 451 by the communicated next hop; and determines the MAC address of the next hop and communicates this information to the layer 2 forwarding processor 460 of the destination/process determination module 400 (Step S820). The layer 2 forwarding processor 460 of the destination/process determination module 400 then searches the FDB 461 by the aforementioned MAC address, determines the output port of the target frame data 800, and communicates this information to the irregular terminal detection module 470 (Step S830).
  • FIG. 10 is a flowchart depicting the process steps of a layer 2 transport process. The layer 2 forwarding processor 460 of the destination/process determination module 400 searches the FDB 461 by the assigned VLAN of the target frame data 800 and the destination MAC address, determines the output port of the target frame data 800, and communicates this information to the irregular terminal detection module 470 (Step S910).
    • Irregular Terminal Detection Process:
  • FIG. 11 is a first flowchart depicting the process flow of an irregular terminal detection process. FIG. 11 illustrates the irregular terminal detection process flow in a case where the target frame data 800 is an IP packet.
  • First, it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink (Step S1001). In the event that that VLAN status is DHCP snooping enabled, and additionally the port status of the reception port is downlink (Step S1001: YES), the irregular terminal detection module 470 of the destination/process determination module 400 searches the authentication database 471 by the target frame data 800 source MAC address, source IP address, assigned VLAN, and reception port (Step S1002). Where the authentication database 471 search result indicates that a corresponding entry exists (Step S1003: YES) and that VLAN status is DHCP snooping disenabled or the port status of the reception port is uplink (Step S1001: NO), the irregular terminal detection module 470 communicates to the frame process determination module 480 the output port that was previously communicated to it by the layer 2 forwarding processor 460 (Step S1004). If on the other hand, the search result indicates that no corresponding entry exists (Step S1003: NO), the irregular terminal detection module 470 communicates a discard instruction to the frame process determination module 480 (Step S1005).
  • FIG. 12 is a second flowchart depicting the process flow of the irregular terminal detection process. FIG. 12 illustrates the irregular terminal detection process flow in a case where the target frame data 800 is a non-IP packet. First, it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink (Step S1101). In the event that that VLAN status is DHCP snooping enabled, and additionally the port status of the reception port is downlink (Step S1101: YES), the irregular terminal detection module 470 of the destination/process determination module 400 searches the authentication database 471 by the target frame data 800 source MAC address, assigned VLAN, and reception port (Step S1102). Where the authentication database 471 search result indicates that a corresponding entry exists (Step S1103: YES), and that VLAN status is DHCP snooping disenabled or that the port status of the reception port is uplink (Step S1101: NO), the irregular terminal detection module 470 communicates to the frame process determination module 480 the output port that was previously communicated to it by the layer 2 forwarding processor 460 (Step S1104). If the authentication database 471 search result indicates that no corresponding entry exists (Step S1103: NO), the irregular terminal detection module 470 communicates a discard instruction to the frame process determination module 480 (Step S1105).
  • FIG. 13 is a flowchart depicting process steps by the frame process determination module 480 and the MAC address learning processor 490. The frame process determination module 480 of the destination/process determination module 400 parses the determination result communicated to it by the irregular terminal detection module 470 (Step S1201). If the result of parsing indicates a discard instruction (Step S1202: YES), the frame process determination module 480 discards the target frame data 800 (Step S1203). If on the other hand result of parsing does not indicate a discard instruction (Step S1202: NO), the MAC address learning processor 490 carries out an FDB learning process with the target frame data 800 source MAC address (Step S1204). Described in simple terms, the FDB learning process is a process for learning an association of the source MAC address with the port to which the device having the source MAC address is connected. Next, the MAC address learning processor 490 communicates to the frame transport processor 200 the determination result that was communicated to it by the frame process determination module 480 (Step S1205). The frame transport processor 200 then sends the target frame data 800 from the output port that was communicated to it by the MAC address learning processor 490 (Step S1206).
  • The network relay device SW1 described above can successfully prevent irregular communication in a situation where an irregular terminal whose IP address and MAC address have been manually set to addresses identical to those of a regular terminal which has been allocated an IP address by the DHCP server has surreptitiously connected to a different port of a network relay device or to a different VLAN. Thus, an irregular terminal that through packet sniffing or the like was able to acquire the IP address and MAC address of a terminal that was previously allocated an IP address by DHCP will not be able to connect to the network, even if its IP address has been manually set to one identical to a regular terminal, and its MAC address has been changed to one identical to a regular terminal.
  • Additionally, regardless of whether layer 3 transport or layer 2 transport is to be carried out on target frame data 800, irregular terminal detection will be carried out using a combination of the regular IP address IPREG (which is layer 3 information) together with the regular VLAN information VLREG, the regular MAC address MACREG, and the regular port information POREG, so communication by an irregular terminal can be identified more carefully.
  • Moreover, by discarding frames of an irregular terminal so as to prevent the MAC address learning process, impaired communication of regular terminals due to communication by an irregular terminal can be prevented.
    • Embodiment 1 Modification Examples
  • In the present invention, the irregular terminal detection process is carried out on the basis of a process of allocating IP addresses to terminals by DHCP. However, the IP address allocation process is not limited to the DHCP protocol, and it is possible to adapt to various other technologies for allocating IP addresses to terminals through appropriate modification of the packet class determination module 430 and the protocol processor 300.
  • By designing the authentication database 471 to be set up through a user interface, it will also be possible with the detection method according to the present invention to detect irregular terminals in situations where terminal IP addresses are configured manually rather than by a technology that allocates IP addresses to terminals.
  • While the present embodiment describes an example of terminals that are allocated IPv4 IP addresses, detection of IPv6 irregular terminals is possible in analogous fashion.
    • B. Embodiment 2
  • The general configuration of the network system of Embodiment 2 is identical to the general configuration of the network system of Embodiment 1 described earlier with reference to FIG. 1, and as such will not be discussed. However, the network system of Embodiment 2 is provided with a network relay device SW1A in place of the network relay device SW1. Operation of the irregular terminal detection method which is a feature of Embodiment 2 takes place in the network relay device SW1A. The network relay device SW2 is a switch that lacks a filtering function for preventing irregular communication, and is simply connected for network layering purposes.
  • FIG. 14 is a block diagram depicting the configuration of the network relay device SW1A in Embodiment 2. The network relay device SW1A has a management module 100A, a frame transport processor 200A, a protocol processor 300A, and a destination/process determination module 400A. The management module 100A has a user interface 110A adapted to receive instructions from a user. The protocol processor 300A carries out processes relating to protocols such as routing protocols and ARP (Address Resolution Protocol); it will not be discussed in detail. The protocol processor 300A has a DHCP parsing processor 310A for carrying out processes relating to DHCP.
  • The destination/process determination module 400A includes a port status identification module 410A, a port status management table 411A, a VLAN status determination module 420A, a VLAN status management module 421A, a packet class determination module 430A, a layer 3 forwarding processor 440A, a routing table 441A, an ARP processor 450A, an ARP table 451A, a layer 2 forwarding processor 460A, an FDB 461A, an irregular terminal detection module 470A, a frame process determination module 480A, and a MAC address learning processor 490A.
  • FIG. 15 is a diagram depicting in overview an irregular terminal detection method in Embodiment 2. Prior to describing the specific operations of the constituent elements of the network relay device SW1A mentioned above, a brief overview of the irregular terminal detection method will be presented. In Embodiment 1, regular terminal information is stored in the authentication database 471 which is an independent database; in Embodiment 2 however, regular terminal information is stored in relay lookup tables that the network relay device uses to identify transport destinations in normal transport processes. That is, a storing module for storing regular terminal information is provided within the relay lookup tables. The network relay device SW1A of Embodiment 2 is provided, as relay lookup tables, with a routing table 441A, an ARP table 451A, and an FDB 461A. In Embodiment 2, from the regular terminal information, the regular IP address IPREG and the VLAN information VLREG are stored in the routing table 441A. Also, from the regular terminal information, the regular MAC address MACREG is stored in the ARP table 451A, while the regular port information POREG is stored in the FDB 461A. These items of regular terminal information are stored in different areas (authentication areas) from areas where information used for transport processes (relay areas) is stored.
  • The transport areas and the authentication areas of the tables 441A, 451A, 461A are identified by flags stored in the tables, for example. During lookup for the purpose of a transfer process, reference is made to relay areas. The relay areas are managed by conventional functions such as routing protocol/ARP protocol/MAC learning etc. The authentication areas, on the other hand, are managed by the protocol processor 300A.
  • On the basis of the target frame data 800 source IP address, the network relay device SW1A searches the routing table 441A. If the target frame data 800 source IP address has been previously saved as a regular IP address IPREG in the routing table 441A, it is confirmed that the source IP address is a regular IP address IPREG, and the regular VLAN information VLANREG and the next hop are determined. The network relay device SW1 then searches the ARP table 451A on the basis of the next hop thusly determined. A regular MAC address MACREG is determined as a result. The network relay device SW1A then searches the FDB 461A on the basis of the MAC address MACREG thusly determined. Regular port information POREG is determined as a result. That is, based on the target frame data 800 source IP address, the network relay device SW1A is able to extract the regular IP address IPREG, the regular VLAN information VLANREG, the regular MAC address MACREG, and the regular port information POREG as regular port information by sequentially searching the tables 441A, 451A, 461A.
  • The network relay device SW1A makes determinations as to whether target frame data 800 is regular data sent from a regular terminal, or irregular data send from an irregular terminal. Specifically, the network relay device SW1A determines whether the combination of the target frame data 800 source IP address, assigned VLAN, reception port, and source MAC address matches the extracted combination of regular terminal regular IP address IPREG, regular VLAN information VLREG, regular port information POREG, and regular MAC address MACREG. As in Embodiment 1, in the event that these combinations match, the network relay device SW1A designates the target frame data 800 as data sent from a regular terminal, and carries out the normal transport process. On the other hand, in the event that these combinations do not match, the network relay device SW1A designates the target frame data 800 as having been sent by an irregular terminal, and discards it.
  • Following is a description of specific operations of the network relay device SW1A of Embodiment 2. With the exception of the irregular terminal detection process, operations of the network relay device SW1A are comparable to those of the network relay device SW1 of Embodiment 1; therefore, only the irregular terminal detection process will be discussed below.
    • Irregular Terminal Detection Process:
  • FIG. 16 is a first flowchart depicting the process steps of an irregular terminal detection process in Embodiment 2. FIG. 16 illustrates the irregular terminal detection process flow in a case where the received frame is an IP packet.
  • First, it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink (Step S1401). In the event that that VLAN status is DHCP snooping enabled, and additionally the status of the reception port is downlink (Step S1401: YES), the irregular terminal detection module 470A of the destination/process determination module 400A communicates the received frame source IP address to the layer 3 forwarding processor 440A of the destination/process determination module 400A (Step S1402). Next, the layer 3 forwarding processor 440A of the destination/process determination module 400A searches by the received frame source IP address for a direct route in the authentication area of the routing table 441A; then determines the VLAN and the next hop, and communicates the VLAN and the next hop to the ARP processor 450A of the destination/process determination module 400A (Step S1403). The VLAN information communicated here is regular VLAN information VLREG. The ARP processor 450A of the destination/process determination module 400A then searches the ARP table 451A by the previously determined next hop; then determines the MAC address that corresponds to the next hop, and communicates the aforementioned VLAN (regular VLAN information VLREG) and the MAC address thusly determined to the layer 2 forwarding processor 460A of the destination/process determination module 400A (Step S1404). The MAC address communicated here is a regular MAC address MACREG. The layer 2 forwarding processor 460A of the destination/process determination module 400A searches the FDB 461A by the previously determined VLAN (regular VLAN information VLREG) and the previously determined MAC address (regular MAC address MACREG); then determines the port that corresponds to the MAC address, and communicates the aforementioned VLAN (regular VLAN information VLREG), the MAC address (regular MAC address MACREG), and the port thusly determined to the irregular terminal detection module 470A of the destination/process determination module 400A (Step S1405). The port information that is communicated here is regular port information POREG.
  • Next, it is determined whether the aforementioned VLAN (regular VLAN information VLREG), the MAC address (regular MAC address MACREG), and the previously determined port (regular port information POREG) match the assigned VLAN, source MAC address, and reception port of the target frame data 800. If the determination is that they match (Step S1406: YES), and either the VLAN status is DHCP snooping disabled or the port status of the reception port is uplink (Step S1401: NO), the irregular terminal detection module 470A communicates to the frame process determination module 480A the output port that was communicated to it from the layer 2 forwarding processor 460A (Step S1407). If the determination is that they do not match (Step S1406: NO), the irregular terminal detection module 470A communicates to the frame process determination module 480A a discard instruction (Step S1408).
  • FIG. 17 is a second flowchart depicting the process steps of the irregular terminal detection process in Embodiment 2. FIG. 17 illustrates the irregular terminal detection process flow in a case where the received frame is a non-IP packet. First, it is determined whether the VLAN status is DHCP snooping enabled, and whether the port status of the reception port is downlink (Step S1501). In the event that that VLAN status is DHCP snooping enabled, and additionally the status of the reception port is downlink (Step S1501: YES), the irregular terminal detection module 470A of the destination/process determination module 400A communicates the received frame source MAC address to the layer 2 forwarding processor 460A of the destination/process determination module 400A (Step S1502). The layer 2 forwarding processor 460A of the destination/process determination module 400A searches the FDB 461A by the reception VLAN and source MAC address, then determines the port and communicates this to the irregular terminal detection module 470A (Step S1503). The port information communicated here is regular port information POREG. Next, it is determined whether the communicated regular port information POREG matches the reception port of the target frame data 800. If they are determined to match (Step S1504: YES), in the event that the VLAN status is DHCP snooping disabled, or the port status of the reception port is uplink (Step S1501: NO), the irregular terminal detection module 470A communicates the output port that was communicated to it from the layer 2 forwarding processor 460A, to the frame process determination module 480A (Step S1505). If they are determined to not match, (Step S1504: NO) the irregular terminal detection module 470A communicates a discard instruction to the frame process determination module 480A (Step S1506).
  • The network relay device SW1A according to Embodiment 2 described above affords working effects comparable to those of the network relay device SW1 of Embodiment 1.
  • Additionally, the network relay device SW1A of Embodiment 2 obviates the need for the authentication database 471 that was required in Embodiment 1. A simpler design for the network relay device SW1A can thus be attained through a reduced number of parts, smaller required memory capacity, and so on. Also, the memory capacity of the network relay device SW1A can be effectively utilized, for example, by being used for other purposes.
  • In Embodiment 2 it is possible for some processes to be utilized in common with an existing uRPF function. Specifically, the function of path search by source IP address could be utilized in common. Thus, if operated simultaneously with the uRPF function, the function activation frequency of network process LSI will be lower than where the two functions operate independently, which will provide advantages in terms of energy conservation as well.
    • Embodiment 2 Modification Examples
  • In the present invention, the irregular terminal detection process is carried out on the basis of a process of allocating IP addresses to terminals by DHCP. However, the IP address allocation process is not limited to the DHCP protocol, and it is possible to adapt to various other technologies for allocating IP addresses to terminals through appropriate modification of the packet class determination module 430A and the protocol processor 300A. By designing the routing table 441A, the ARP table 451A, and the FDB 461A so as to be set up through a user interface, using the detection method according to the present invention, it is also possible to detect irregular terminals in situations where terminal IP addresses are configured manually rather than by a technology that allocates IP addresses to terminals. Additionally, while the present embodiment describes an example of terminals that are allocated IPv4 IP addresses, detection of IPv6 irregular terminals is possible in analogous fashion.
    • C. Embodiment 3
  • FIG. 18 is an illustration depicting an overview of Embodiment 3. As in Embodiment 2, where regular terminal information is stored in the routing table 441A, the ARP table 451A, and the FDB 461A, management of the tables requires congruity with existing control functions. Specifically, it is necessary for there to be congruity between the routing protocol that manages the routing table 441A, the ARP protocol that manages the ARP table 451A, the MAC learning process function that manages the FDB 461, and the irregular terminal detection function. As depicted in FIG. 15, in Embodiment 2, each of the tables 441A, 451A, 461A is provided with an authentication area; regular terminal information is registered therein separately from the relay area used for managing other control functions, with the authentication area being managed by the irregular terminal detection function. In Embodiment 3, instead, no authentication area is provided, and regular terminal information is stored in the relay area in the same way as information for relay purposes. For entries described by regular terminal information in the tables 441B, 451B, 461B, the irregular terminal detection function manages the entry from the time that the entry is stored until it is deleted. Other processes, such as the irregular terminal detection process, are comparable to those in Embodiment 2 and will not be described.
  • Embodiment 3 described above affords working effects comparable to those of Embodiment 2. Additionally, since the tables 441A, 451A, 461A are not provided with an authentication area, the memory capacity needed by the 441A, 451A, 461A can be reduced.
    • D. Modified Embodiments Modified Embodiment 1
  • In the preceding embodiments, it is presumed that the network relay devices SW1, SW1A are switches for carrying out layer 3 transport; however, the present invention may be implemented in a router instead. The network relay devices SW1, SW1A may also be layer 2 switches for carrying out layer 2 transport. Even where the device is a layer 2 switch, in preferred practice, irregular terminal detection will be carried out based on a combination of the layer 3 information regular IP address IPREG with VLAN information VLREG, regular MAC address MACREG, and regular port information POREG.
    • Modified Embodiment 2
  • In the preceding embodiments, the MAC address is employed as the layer 2 (data link layer) address, and the IP address is employed as the layer 3 (network layer) address; however, this is because the network connecting the various devices in the embodiments employs the Ethernet (TM) standard as the data link layer protocol, and IP (Internet Protocol) as the network layer protocol. Of course, where other protocols are employed as the protocols for the data link layer and the network layer, the addresses employed in these protocols may be used. In this case, the data for transfer would be data used by the protocol of the data link layer, rather than Ethernet frames.
    • Modified Embodiment 3
  • In the preceding embodiments, the frame transport processor 200, the protocol processor 300, the management module 100, and the destination/process determination module 400 are constituted so as to be included in a single unit case. However, some of these constituent elements may instead be provided separately to several unit cases. For example, the management module 100 and the protocol processor 300 may be provided as separate control management devices. Alternatively, several network relay devices may be connected by cables, and a single network relay device SW1, SW1A may be composed of several network relay devices. In this case, the aforementioned irregular terminal detection function may be provided to some or all of the several network relay devices that make up the network relay device SW1, SW1A.
    • Modified Embodiment 4
  • Some of the arrangements which have been implemented through hardware in the preceding embodiments and modified embodiments may instead be implemented through software, and conversely some of the arrangements which have been implemented through software may instead be implemented through hardware.
    • Modified Embodiment 5
  • In the preceding embodiments, frames that are determined to be target frame data 800 sent by an irregular terminal are discarded; however, they may instead be forwarded to an irregular frame data analysis unit or the like.

Claims (20)

1. A network relay device for relaying communication for a regular terminal via a port, comprising:
an acquiring module configured to acquire a regular layer 2 address representing a layer 2 address allocated to the regular terminal, a regular layer 3 address representing a layer 3 address allocated to the regular terminal, regular VLAN information representing a VLAN assigned to the regular terminal, and regular port information representing a port to which the regular terminal is connected;
a regular terminal information storing module configured to store regular terminal information representing a combination of the acquired regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information; and
a determination process module configured to determine whether the combination of source layer 2 address, source layer 3 address, assigned VLAN, and reception port of target frame data received via the port is stored as the regular terminal information in the regular terminal information storing module.
2. A network relay device according to claim 1, further comprising:
a transport process module configured to execute transport of the target frame data when the combination is determined, through the determination, to have been stored as the regular terminal information in the regular terminal information storing module; and not to execute transport of the target frame data when the combination is determined to have not been stored as the regular terminal information in the regular terminal information storing module.
3. A network relay device according to claim 1, wherein
the acquiring module acquires the regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information through monitoring DHCP frame that is frame data sent and received between the regular terminal and a DHCP server via the port;
4. A network relay device according to claim 3, wherein
the target frame data is frame data other than the DHCP frame.
5. A network relay device according to claim 1, wherein
the determination is executed irrespective of whether the target frame data is targeted for layer 3 transport or targeted for layer 2 transport.
6. A network relay device according to claim 1, wherein
a process of learning the source layer 2 address is carried out for the target frame data that is determined to have been stored as the regular terminal information in the regular terminal information storing module, and
a process of learning the source layer 2 address is not be carried out for the target frame data that is determined to have not been stored as the regular terminal information in the regular terminal information storing module.
7. A network relay device according to claim 1, further comprising:
one or a plurality of relay lookup tables for identifying, based on a destination layer 3 address of the target frame data, from among the port an output port that outputs the target frame data;
wherein the regular terminal information storing module is provided within the one or plurality of relay lookup tables.
8. A network relay device according to claim 7, wherein
the one or plurality of relay lookup tables include:
a layer 3 routing table that relates a source layer 3 address with a next hop and an assigned VLAN;
a layer 2 address lookup table that relates the next hop with a layer 2 address; and
a port lookup table that relates the layer 2 address with the output port;
and wherein
the regular layer 3 address and the regular VLAN information within the regular terminal information are stored in the layer 3 routing table;
the regular layer 2 address within the regular terminal information is stored in the layer 2 address lookup table;
the regular port information within the regular terminal information is stored in the port lookup table; and
the regular VLAN information, the regular layer 2 address, and the regular port information corresponding to the regular layer 3 address can be extracted through sequential lookup in the layer 3 routing table, the layer 2 address lookup table, and the port lookup table, based on the regular layer 3 address.
9. A network relay device according to claim 8, wherein
the determination process module determines whether the combination of the source layer 2 address, assigned VLAN, and reception port of the target frame data is stored as the regular terminal information when the target frame data lacks a source layer 3 address.
10. A network relay device according to claim 1, wherein
the layer 3 address is an IP address.
11. A network relay device according to claim 1, wherein
the layer 2 address is a MAC address.
12. A network relay method for relaying communication for a regular terminal via a port, comprising the steps of:
(a) acquiring a regular layer 2 address representing a layer 2 address allocated to the regular terminal, a regular layer 3 address representing a layer 3 address allocated to the regular terminal, regular VLAN information representing a VLAN assigned to the regular terminal, and regular port information representing a port to which the regular terminal is connected;
(b) storing regular terminal information representing a combination of the acquired regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information, and managing the regular terminal; and
(c) determining whether the combination of source layer 2 address, source layer 3 address, assigned VLAN, and reception port of target frame data received via the port is stored as the regular terminal information.
13. A network relay method according to claim 12, further comprising:
(d) executing transport of the target frame data only when the combination is determined, through the determining step, to have been stored as the regular terminal information.
14. A network relay method according to claim 12, wherein
the acquiring step is a step of acquiring the regular layer 2 address, the regular layer 3 address, the regular VLAN information, and the regular port information through monitoring DHCP frame that is frame data sent and received between the regular terminal and a DHCP server via the port.
15. A network relay method according to claim 14, wherein
the target frame data is frame data other than the DHCP frame.
16. A network relay method according to claim 12, wherein
the determining step is executed irrespective of whether the target frame data is targeted for layer 3 transport or targeted for layer 2 transport.
17. A network relay method according to claim 12, wherein
a process of learning the source layer 2 address is carried out for the target frame data that is determined to have been stored as the regular terminal information, and
a process of learning the source layer 2 address is not be carried out for the target frame data that is determined to have not been stored as the regular terminal information.
18. A network relay method according to claim 12, further comprising:
(e) providing one or a plurality of relay lookup tables for identifying, based on a destination layer 3 address of the target frame data, from among the port an output port that outputs the target frame data;
wherein the storing step is a step of storing the regular terminal information within the one or plurality of relay lookup tables.
19. A network relay method according to claim 18, wherein
the one or plurality of relay lookup tables include:
a layer 3 routing table that relates a source layer 3 address with a next hop and an assigned VLAN;
a layer 2 address lookup table that relates the next hop with a layer 2 address; and
a port lookup table that relates the layer 2 address with the output port;
and wherein
the regular layer 3 address and the regular VLAN information within the regular terminal information are stored in the layer 3 routing table;
the regular layer 2 address within the regular terminal information is stored in the layer 2 address lookup table;
the regular port information within the regular terminal information is stored in the port lookup table; and
the regular VLAN information, the regular layer 2 address, and the regular port information corresponding to the regular layer 3 address can be extracted through sequential lookup in the layer 3 routing table, the layer 2 address lookup table, and the port lookup table, based on the regular layer 3 address.
20. A network relay method according to claim 19, wherein
the determining step is a step of determining whether the combination of the source layer 2 address, assigned VLAN, and reception port of the target frame data is stored as the regular terminal information when the target frame data lacks a source layer 3 address.
US12/475,853 2008-06-04 2009-06-01 Network relay device and network relay method Active 2031-02-21 US8422493B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008-147131 2008-06-04
JP2008147131A JP4734374B2 (en) 2008-06-04 2008-06-04 Network relay device and network relay device method

Publications (2)

Publication Number Publication Date
US20090304008A1 true US20090304008A1 (en) 2009-12-10
US8422493B2 US8422493B2 (en) 2013-04-16

Family

ID=41400267

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/475,853 Active 2031-02-21 US8422493B2 (en) 2008-06-04 2009-06-01 Network relay device and network relay method

Country Status (2)

Country Link
US (1) US8422493B2 (en)
JP (1) JP4734374B2 (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110030032A1 (en) * 2009-07-30 2011-02-03 Calix Networks, Inc. Secure dhcp processing for layer two access networks
US20110029645A1 (en) * 2009-07-30 2011-02-03 Calix Networks, Inc. Secure dhcp processing for layer two access networks
US20120084840A1 (en) * 2010-10-04 2012-04-05 Alaxala Networks Corporation Terminal connection status management with network authentication
EP2579509A1 (en) * 2010-06-07 2013-04-10 Huawei Technologies Co., Ltd. Method, device and system for service configuration
US20130144995A1 (en) * 2010-09-03 2013-06-06 Shuji Ishii Control apparatus, a communication system, a communication method and a recording medium having recorded thereon a communication program
CN103152276A (en) * 2012-11-23 2013-06-12 华为技术有限公司 Port configuration method and Ethernet switch
US20130201990A1 (en) * 2010-08-06 2013-08-08 Beijing Qiantang Network Technology Company, Ltd. Method and system of accessing network for access network device
CN103262477A (en) * 2010-12-16 2013-08-21 村田机械株式会社 Relay communication system and relay servers
WO2014035819A1 (en) * 2012-08-30 2014-03-06 Qualcomm Incorporated Layer 2 address management in 3 address only capable access points in networks with relays
WO2014191082A1 (en) * 2013-05-29 2014-12-04 Alcatel Lucent Detection of an unknown host device in a communication network
US8914467B2 (en) 2011-05-23 2014-12-16 Fujitsu Limited Information processing apparatus, system, and storage medium
CN104253878A (en) * 2014-09-09 2014-12-31 烽火通信科技股份有限公司 VLAN (Virtual Local Area Network) information management system and method of DHCP (Dynamic Host Configuration Protocol) RELAY termination sub-interface
CN104584640A (en) * 2012-08-30 2015-04-29 高通股份有限公司 Layer 2 address management in 3 address only capable access points in networks with relays
US9066287B2 (en) 2012-01-24 2015-06-23 Qualcomm Incorporated Systems and methods of relay selection and setup
US9155101B2 (en) 2012-08-30 2015-10-06 Qualcomm Incorporated Systems and methods for dynamic association ordering based on service differentiation in wireless local area networks
US20160014018A1 (en) * 2013-03-15 2016-01-14 Extreme Networks, Inc. Apparatus and Method for Multicast Data Packet Forwarding
US9794796B2 (en) 2012-06-13 2017-10-17 Qualcomm, Incorporation Systems and methods for simplified store and forward relays
CN107317755A (en) * 2017-08-23 2017-11-03 普联技术有限公司 A kind of hardware forwarding table error correction method, device and computer-readable recording medium
US20180287889A1 (en) * 2017-03-28 2018-10-04 Huawei Technologies Co., Ltd. Network Service Configuration Method and Network Management Device
US10985991B2 (en) 2014-06-02 2021-04-20 Yamaha Corporation Relay device, program, and display control method
US10992671B2 (en) * 2018-10-31 2021-04-27 Bank Of America Corporation Device spoofing detection using MAC authentication bypass endpoint database access control
US11128577B2 (en) * 2018-11-21 2021-09-21 Denso Corporation Relay apparatus
US11171871B2 (en) 2018-11-29 2021-11-09 Denso Corporation Relay apparatus
US11277283B2 (en) * 2019-08-30 2022-03-15 Hewlett Packard Enterprise Development Lp Resilient zero touch provisioning
US11283713B2 (en) 2019-03-29 2022-03-22 Denso Corporation Relay device
US11290308B2 (en) 2019-03-29 2022-03-29 Denso Corporation Relay device
US11606333B1 (en) * 2022-03-04 2023-03-14 Cisco Technology, Inc. Synchronizing dynamic host configuration protocol snoop information

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4892745B2 (en) * 2008-03-26 2012-03-07 Necフィールディング株式会社 Apparatus and method for authenticating connection of authentication switch
US8537831B2 (en) * 2010-02-17 2013-09-17 Alcatel Lucent Method and system for common group action filtering in telecom network environments
JP5593983B2 (en) * 2010-09-06 2014-09-24 日本電気株式会社 Remote access system, server, and remote access method
JP5534023B2 (en) * 2010-09-24 2014-06-25 富士通株式会社 Base station, base station control method, and information processing system
US10409743B1 (en) 2018-06-29 2019-09-10 Xilinx, Inc. Transparent port aggregation in multi-chip transport protocols
JP2019017123A (en) * 2018-11-06 2019-01-31 ヤマハ株式会社 Repeating installation and program
US10817455B1 (en) 2019-04-10 2020-10-27 Xilinx, Inc. Peripheral I/O device with assignable I/O and coherent domains
US10817462B1 (en) 2019-04-26 2020-10-27 Xilinx, Inc. Machine learning model updates to ML accelerators
US11586369B2 (en) 2019-05-29 2023-02-21 Xilinx, Inc. Hybrid hardware-software coherent framework
US11074208B1 (en) 2019-07-24 2021-07-27 Xilinx, Inc. Routing network using global address map with adaptive main memory expansion for a plurality of home agents
US11372769B1 (en) 2019-08-29 2022-06-28 Xilinx, Inc. Fine-grained multi-tenant cache management
US11093394B1 (en) 2019-09-04 2021-08-17 Xilinx, Inc. Delegated snoop protocol
US11113194B2 (en) 2019-09-04 2021-09-07 Xilinx, Inc. Producer-to-consumer active direct cache transfers
US11474871B1 (en) 2019-09-25 2022-10-18 Xilinx, Inc. Cache coherent acceleration function virtualization
US11271860B1 (en) 2019-11-15 2022-03-08 Xilinx, Inc. Compressed tag coherency messaging
US11386031B2 (en) 2020-06-05 2022-07-12 Xilinx, Inc. Disaggregated switch control path with direct-attached dispatch
US11556344B2 (en) 2020-09-28 2023-01-17 Xilinx, Inc. Hardware coherent computational expansion memory

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070041373A1 (en) * 2005-08-18 2007-02-22 Hong Kong Applied Science And Technology Research Institute Co. Ltd. Intelligent switching for secure and reliable voice-over-IP PBX service
US20090300178A1 (en) * 2005-04-27 2009-12-03 Peter Saunderson Network including snooping
US7672293B2 (en) * 2006-03-10 2010-03-02 Hewlett-Packard Development Company, L.P. Hardware throttling of network traffic sent to a processor based on new address rates

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3996288B2 (en) * 1998-12-07 2007-10-24 株式会社日立製作所 Communication network system management method and information relay apparatus
JP2004104355A (en) * 2002-09-06 2004-04-02 Furukawa Electric Co Ltd:The Method and apparatus for managing network address and network address management system
JP4245486B2 (en) * 2004-01-08 2009-03-25 富士通株式会社 Network unauthorized connection prevention method and apparatus
JP4652092B2 (en) * 2005-03-18 2011-03-16 富士通株式会社 Frame relay device

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090300178A1 (en) * 2005-04-27 2009-12-03 Peter Saunderson Network including snooping
US20070041373A1 (en) * 2005-08-18 2007-02-22 Hong Kong Applied Science And Technology Research Institute Co. Ltd. Intelligent switching for secure and reliable voice-over-IP PBX service
US7672293B2 (en) * 2006-03-10 2010-03-02 Hewlett-Packard Development Company, L.P. Hardware throttling of network traffic sent to a processor based on new address rates

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8862705B2 (en) 2009-07-30 2014-10-14 Calix, Inc. Secure DHCP processing for layer two access networks
US20110029645A1 (en) * 2009-07-30 2011-02-03 Calix Networks, Inc. Secure dhcp processing for layer two access networks
US8875233B2 (en) * 2009-07-30 2014-10-28 Catix, Inc. Isolation VLAN for layer two access networks
US20120131097A1 (en) * 2009-07-30 2012-05-24 Calix, Inc. Isolation vlan for layer two access networks
US8341725B2 (en) * 2009-07-30 2012-12-25 Calix, Inc. Secure DHCP processing for layer two access networks
US20110030032A1 (en) * 2009-07-30 2011-02-03 Calix Networks, Inc. Secure dhcp processing for layer two access networks
EP2579509A1 (en) * 2010-06-07 2013-04-10 Huawei Technologies Co., Ltd. Method, device and system for service configuration
US20130097294A1 (en) * 2010-06-07 2013-04-18 Huawei Technologies Co., Ltd. Service configuration method, device and system
US9495327B2 (en) * 2010-06-07 2016-11-15 Huawei Technologies Co., Ltd. Service configuration method, device and system
EP2579509A4 (en) * 2010-06-07 2013-04-10 Huawei Tech Co Ltd Method, device and system for service configuration
US20130201990A1 (en) * 2010-08-06 2013-08-08 Beijing Qiantang Network Technology Company, Ltd. Method and system of accessing network for access network device
US9154404B2 (en) * 2010-08-06 2015-10-06 Beijing Qiantang Network Technology Company, Ltd. Method and system of accessing network for access network device
US9531566B2 (en) * 2010-09-03 2016-12-27 Nec Corporation Control apparatus, a communication system, a communication method and a recording medium having recorded thereon a communication program including a control unit, a network configuration information management unit, and a path control unit
US20130144995A1 (en) * 2010-09-03 2013-06-06 Shuji Ishii Control apparatus, a communication system, a communication method and a recording medium having recorded thereon a communication program
US20120084840A1 (en) * 2010-10-04 2012-04-05 Alaxala Networks Corporation Terminal connection status management with network authentication
US8910248B2 (en) * 2010-10-04 2014-12-09 Alaxala Networks Corporation Terminal connection status management with network authentication
CN103262477A (en) * 2010-12-16 2013-08-21 村田机械株式会社 Relay communication system and relay servers
EP2654253A1 (en) * 2010-12-16 2013-10-23 Murata Machinery, Ltd. Relay communication system and relay servers
TWI568218B (en) * 2010-12-16 2017-01-21 Murata Machinery Ltd Relay communication system and relay server
EP2654253A4 (en) * 2010-12-16 2015-04-22 Murata Machinery Ltd RELAY COMMUNICATION SYSTEM AND RELAY SERVERS
US8914467B2 (en) 2011-05-23 2014-12-16 Fujitsu Limited Information processing apparatus, system, and storage medium
US9066287B2 (en) 2012-01-24 2015-06-23 Qualcomm Incorporated Systems and methods of relay selection and setup
US9794796B2 (en) 2012-06-13 2017-10-17 Qualcomm, Incorporation Systems and methods for simplified store and forward relays
WO2014035819A1 (en) * 2012-08-30 2014-03-06 Qualcomm Incorporated Layer 2 address management in 3 address only capable access points in networks with relays
US9155101B2 (en) 2012-08-30 2015-10-06 Qualcomm Incorporated Systems and methods for dynamic association ordering based on service differentiation in wireless local area networks
CN104584640A (en) * 2012-08-30 2015-04-29 高通股份有限公司 Layer 2 address management in 3 address only capable access points in networks with relays
US9510271B2 (en) 2012-08-30 2016-11-29 Qualcomm Incorporated Systems, apparatus, and methods for address format detection
CN103152276A (en) * 2012-11-23 2013-06-12 华为技术有限公司 Port configuration method and Ethernet switch
US10187293B2 (en) * 2013-03-15 2019-01-22 Extreme Networks, Inc. Apparatus and method for multicast data packet forwarding
US20160014018A1 (en) * 2013-03-15 2016-01-14 Extreme Networks, Inc. Apparatus and Method for Multicast Data Packet Forwarding
WO2014191082A1 (en) * 2013-05-29 2014-12-04 Alcatel Lucent Detection of an unknown host device in a communication network
US10985991B2 (en) 2014-06-02 2021-04-20 Yamaha Corporation Relay device, program, and display control method
CN104253878A (en) * 2014-09-09 2014-12-31 烽火通信科技股份有限公司 VLAN (Virtual Local Area Network) information management system and method of DHCP (Dynamic Host Configuration Protocol) RELAY termination sub-interface
US20180287889A1 (en) * 2017-03-28 2018-10-04 Huawei Technologies Co., Ltd. Network Service Configuration Method and Network Management Device
CN108667638A (en) * 2017-03-28 2018-10-16 华为技术有限公司 A network service configuration method and network management equipment
US10972362B2 (en) * 2017-03-28 2021-04-06 Huawei Technologies Co., Ltd. Network service configuration method and network management device
CN107317755A (en) * 2017-08-23 2017-11-03 普联技术有限公司 A kind of hardware forwarding table error correction method, device and computer-readable recording medium
US10992671B2 (en) * 2018-10-31 2021-04-27 Bank Of America Corporation Device spoofing detection using MAC authentication bypass endpoint database access control
US11128577B2 (en) * 2018-11-21 2021-09-21 Denso Corporation Relay apparatus
US11171871B2 (en) 2018-11-29 2021-11-09 Denso Corporation Relay apparatus
US11283713B2 (en) 2019-03-29 2022-03-22 Denso Corporation Relay device
US11290308B2 (en) 2019-03-29 2022-03-29 Denso Corporation Relay device
US11277283B2 (en) * 2019-08-30 2022-03-15 Hewlett Packard Enterprise Development Lp Resilient zero touch provisioning
US11855809B2 (en) 2019-08-30 2023-12-26 Hewlett Packard Enterprise Development Lp Resilient zero touch provisioning
US11606333B1 (en) * 2022-03-04 2023-03-14 Cisco Technology, Inc. Synchronizing dynamic host configuration protocol snoop information
US12088552B2 (en) 2022-03-04 2024-09-10 Cisco Technology, Inc. Synchronizing dynamic host configuration protocol snoop information

Also Published As

Publication number Publication date
JP2009296246A (en) 2009-12-17
JP4734374B2 (en) 2011-07-27
US8422493B2 (en) 2013-04-16

Similar Documents

Publication Publication Date Title
US8422493B2 (en) Network relay device and network relay method
CN107911258B (en) SDN network-based security resource pool implementation method and system
EP3248331B1 (en) Method for controlling switches to capture and monitor network traffic
JP4919608B2 (en) Packet transfer device
US7286539B2 (en) Packet forwarding apparatus with function of limiting the number of user terminals to be connected to ISP
CN102857416B (en) A kind of realize the method for virtual network, controller and virtual network
US10205657B2 (en) Packet forwarding in data center network
US8819267B2 (en) Network virtualization without gateway function
WO2012077603A1 (en) Computer system, controller, and network monitoring method
EP2068498B1 (en) Method and network device for communicating between different components
EP3148149A1 (en) Service flow processing method, apparatus and device
US20130170354A1 (en) Computer system and communication method in computer system
US8340092B2 (en) Switching system and method in switching system
US9900238B2 (en) Overlay network-based original packet flow mapping apparatus and method therefor
CN101263696A (en) Routing data packets from multihomed hosts
US20160087887A1 (en) Routing fabric
EP2548346B1 (en) Packet node for applying service path routing at the mac layer
US20170048154A1 (en) Redirection ip packet through switch fabric
US10084702B2 (en) Packet processing method and system, and device
CN108667709B (en) Message forwarding method and device
US7835341B2 (en) Packet communication apparatus
CN113923076A (en) SD-WAN-based Ethernet two-layer data exchange method
JP5407712B2 (en) Communication apparatus and communication control method
JP2018064228A (en) Packet controller
CN108183859B (en) Internet traffic scheduling method and system

Legal Events

Date Code Title Description
AS Assignment

Owner name: ALAXALA NETWORKS CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KONO, TOMOHIKO;AKAHANE, SHINICHI;NARA, TAKAO;REEL/FRAME:023138/0290

Effective date: 20090611

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载